French Cyber Law
The Loi de Programmation Militaire and Cyber Provisions
France’s strategic approach to cybersecurity is substantially shaped by successive Lois de Programmation Militaire, which establish multi-year defence and national security spending priorities including cybersecurity capabilities. The LPM 2019–2025 (Law No. 2018-607 of 13 July 2018) allocated approximately €1.6 billion for cybersecurity, funding the expansion of the Agence Nationale de la Sécurité des Systèmes d’Information, the establishment of a military cyber defence organisation (COMCYBER), and the development of offensive and defensive cyber capabilities. The LPM 2024–2030 (Law No. 2023-703 of 1 August 2023) increased cybersecurity funding to €4 billion over the period, with emphasis on artificial intelligence-driven threat detection, quantum-resistant cryptography, and the protection of national critical infrastructure against state-sponsored cyber operations. The LPM framework operates in conjunction with the national cybersecurity strategy, the Stratégie Nationale de la Cybersécurité, which articulates four strategic priorities: ensuring the security of critical infrastructure, building sovereign technological capabilities, strengthening cyber defence and deterrence, and developing cybersecurity skills and awareness across French society.
ANSSI’s Role and Regulatory Authority
The Agence Nationale de la Sécurité des Systèmes d’Information, established by Decree No. 2009-834 of 7 July 2009 and reinforced by the LPM 2013–2019, serves as France’s national cybersecurity authority. ANSSI exercises a broad mandate encompassing the protection of state information systems, the provision of technical assistance to operators of vital importance (Opérateurs d’Importance Vitale), the certification of cybersecurity products and services, the operation of the national Computer Security Incident Response Team (CERT-FR), and the development and promulgation of technical security standards and guidance. ANSSI’s regulatory authority derives from multiple statutory instruments, including the Defence Code and the Post and Electronic Communications Code. The Agency conducts mandatory security audits of OIV information systems under the Defence Code and issues binding directives requiring remediation of identified security deficiencies. ANSSI also operates the Passi (Prestataires d’Audit de la Sécurité des Systèmes d’Information) certification scheme for security auditors and administers the SecNumCloud qualification framework for cloud service providers, which has become a de facto requirement for French government cloud procurement following the adoption of the National Strategy for Cloud Computing.
Transposition of the NIS Directive
France transposed the NIS Directive through Law No. 2018-133 of 26 February 2018 (the Loi transposant la directive NIS) and Decree No. 2018-384 of 23 May 2018, establishing the regulatory framework for operators of essential services and digital service providers. The French regime designates operators of vital importance under the Defence Code as the operators of essential services for NIS purposes, supplemented by additional sectors including social security, space, and research. The legislation requires OIVs to implement security measures consistent with ANSSI’s published security rules, to report security incidents to ANSSI, and to submit to security audits conducted by ANSSI or by approved third-party auditors. ANSSI’s enforcement powers include the ability to issue formal notices, impose administrative sanctions, and refer matters to the public prosecutor for criminal proceedings. The transposition of NIS 2 is being effected through the Loi NIS 2 (Proposition de Loi No. 2024-xxx), which expands the scope of covered entities to approximately 15,000 organisations across eighteen sectors, introduces a tiered obligation structure distinguishing between important and essential entities, and increases maximum administrative fines to at least €10 million or two per cent of annual worldwide turnover.
The Loi pour une République Numérique
Law No. 2016-1321 of 7 October 2016, the Loi pour une République Numérique, introduced significant reforms to French digital law, including provisions affecting cybersecurity and data protection. The law establishes a right to data portability (Article 49), mandates transparency obligations for online platforms regarding content recommendation algorithms, and creates a framework for the declaration of security vulnerabilities and the reporting of cyber incidents. Article 47 of the law requires hosting providers to implement proportionate security measures and to notify the CNIL without delay in the event of a personal data breach. The République Numérique legislation also introduced a mechanism for the administrative authority to impose penalties of up to five per cent of annual turnover for failure to cooperate with investigations, complementing the CNIL’s existing enforcement powers. The law’s provisions on digital loyalty obligations seek to prevent unfair practices in consumer contracts for digital services and to promote transparency in platform-to-business relations.
CNIL Enforcement in Cybersecurity
The Commission Nationale de l’Informatique et des Libertés, France’s independent data protection authority, exercises substantial enforcement powers in the cybersecurity domain through its authority under the GDPR, the French Data Protection Act (Law No. 78-17 of 6 January 1978, as amended), and the Loi pour une République Numérique. The CNIL has imposed significant monetary penalties for cybersecurity failures, including a €50 million fine against Google LLC in 2019 for violations of transparency and information obligations (later confirmed on appeal by the Conseil d’État in Google LLC v CNIL, No. 430810, 2020), and a €10 million fine against Bouygues Telecom in 2023 for inadequate security measures leading to a data breach affecting approximately 190,000 customers. The CNIL’s enforcement practice emphasises the importance of Article 32 GDPR compliance requiring controllers and processors to implement appropriate technical and organisational measures, including pseudonymisation, encryption, confidentiality, integrity, availability, and resilience of processing systems, and regular testing of security measures. The CNIL publishes sector-specific security recommendations and maintains a Cybersecurity and Data Protection guidance page addressing incident response, vulnerability management, and supply chain security.
Code Pénal Cyber Offences
The French Penal Code criminalises computer-related offences in Articles 323-1 through 323-8, inserted by the Law of 5 January 1988 on Computer Fraud and modified by Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy and Law No. 2011-267 of 14 March 2011 on Internal Security. Article 323-1 criminalises unauthorised access to or remaining within an automated data processing system with a sentence of up to two years’ imprisonment and a €60,000 fine, increased to three years and €100,000 where access causes modification or deletion of data. Article 323-2 criminalises the hindering of the functioning of an automated data processing system — denial of service attacks — with a sentence of up to five years’ imprisonment and a €150,000 fine. Article 323-3 criminalises the fraudulent introduction, deletion, or modification of data within a system, with a sentence of up to five years’ imprisonment and a €150,000 fine. Article 323-3-1, added by Law No. 2012-410, criminalises data extraction. Articles 323-4 and 323-4-1 address organised criminal group involvement, carrying increased penalties of up to ten years’ imprisonment and €300,000 fines. Article 323-5, added by Law No. 2014-1353 on the Prevention of Cyber Attacks, criminalises the production, possession, and distribution of devices or programmes designed or adapted to commit cyber offences. The Code de la Défense (Articles L. 2321-1 to L. 2321-3) establishes supplementary criminal penalties for attacks against classified information systems.